
Microsoft Office SharePoint Server 2007 and
Novell eDirectory LDAP Authentication

By Nick Kellett
June 11, 2007


Microsoft Office SharePoint Server 2007 is a great web platform. It's robust, secure, and extensible. Sometimes it can be a little hard to figure out though.

During one recent implementation I had to connect to Novell eDirectory to import user profiles and authenticate via Lightweight Directory Access Protocol (LDAP). A quick search of the net turned up some information about using LDAP in SharePoint, but lots of people were still having problems connecting to Novell eDirectory.

Liam Cleary's excellent blog articles, "MOSS2007 – Multiple Authentication Providers" and "MOSS 2007 - LDAP Authentication", were a huge help to me in figuring out how to do this. This article will provide some step-by-step instructions for importing your Novell users and authenticating them in MOSS 2007, and in particular will cover some little gotchas you might run into along the way.

Adding an LDAP Membership Provider: Get Your Hands Dirty

LDAP Browser 2.6, available from Softerra as a freeware version at http://www.ldapbrowser.com/download.htm, is a great little tool to help you confirm what objects and properties you are trying to import. The first order of business should be to get your hands on such a tool. It will be your debugger and "sanity check" if you're not getting the results you expect in SharePoint. Once you've installed it, create a new profile that connects and returns your Novell eDirectory users and groups.

Now things immediately get a little messy. To begin with, MOSS 2007 is built upon the .NET 3 framework, which uses a plug-and-play concept called the Provider Model. This model allows you to use multiple mechanisms to provide core functionalities such as site navigation information, user roles, and user authentication. MOSS 2007 uses a default authentication provider, the Windows Authentication Provider, to import users from Windows NT or Active Directory. We need to add an additional provider, the LDAP Membership Provider. To do this, log in to your MOSS server and browse to the web.config files for your SharePoint Central Administrator, Shared Services Provider, and Default Portal websites. Where these are located depends on where you set up the default folders when you installed SharePoint. They can often be found by default in c:\inetpub\wwwroot. Note that if you installed multiple web front end servers, the Central Administrator web.config will only be found on one of them, while the portal website web.config might be found on all of them.

In each of these web.config files, add the following within the System.Web element (after making a file backup!):

<membership>
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="[LDAP Server]"
         port="389"
         useSSL="false"
         useDNAttribute="false"
         userDNAttribute="uid"
         userNameAttribute="uid"
         userContainer="[LDAP path to get base containers and Root object]"
         userObjectClass="user"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenName,cn" />
  </providers>
</membership>

By adding this to the web.config, we are telling SharePoint that at runtime it has access to Microsoft's LDAPMembershipProvider class, which contains code to connect to an LDAP store. There are a few things to note here. To begin with, you have to provide the membership provider with a unique name. This is important, as you will refer to this name elsewhere in the setup. Fill in the server attribute with the fully qualified domain name or IP address of the LDAP server, and its port number (the default is 389). Your userContainer information is what will allow you to get at the users and groups contained in this directory. You can test all of this by using your LDAP tool, to ensure that you are calling the correct container and root object. If your tool can return information using these settings, then so can the LDAPMembershipProvider.
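The provider element above has to agree with what you later type into the Shared Services Provider connection page, and a single typo (a missing space between two attributes, a mismatched provider name) is enough to make the import silently return nothing. The following script is an added example, not code from the article or from Microsoft: it reads the LDAPMembershipProvider element out of a web.config with the Python standard library and reports the mismatches a practitioner usually hunts for by hand. The web.config fragment, server name and userContainer in it are constructed placeholders.

```python
"""Added example, not code from the article: read the LdapMembership provider
element out of a SharePoint web.config and sanity-check it against the values
you type into the SSP "Create New Connection" page. Standard library only."""
import xml.etree.ElementTree as ET

LDAP_PROVIDER_TYPE = "Microsoft.Office.Server.Security.LDAPMembershipProvider"

# Constructed web.config fragment modelled on the article's provider element;
# the server name and userContainer are placeholder assumptions.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership>
      <providers>
        <add name="LdapMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="ldap.example.test" port="389" useSSL="false"
             useDNAttribute="false" userDNAttribute="uid" userNameAttribute="uid"
             userContainer="ou=users,o=example" userObjectClass="user"
             userFilter="(ObjectClass=person)" scope="Subtree"
             otherRequiredUserAttributes="sn,givenName,cn" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def load_ldap_providers(web_config_xml):
    """Return {provider name: attribute dict} for every <add> whose type is the
    LDAPMembershipProvider. A malformed file (for example a missing space
    between two attributes) raises ET.ParseError here, before SharePoint sees it."""
    root = ET.fromstring(web_config_xml)
    providers = {}
    for add in root.iter("add"):
        if add.get("type", "").startswith(LDAP_PROVIDER_TYPE):
            providers[add.get("name")] = dict(add.attrib)
    return providers


def check_provider(attrs, ssp_provider_name, ssp_username_attribute):
    """Compare one provider's attributes with the SSP connection settings and
    return a list of findings; an empty list means the two agree."""
    findings = []
    if attrs.get("name") != ssp_provider_name:
        findings.append("SSP provider name %r does not match web.config name %r"
                        % (ssp_provider_name, attrs.get("name")))
    # The SSP username attribute must equal userDNAttribute and userNameAttribute.
    for key in ("userDNAttribute", "userNameAttribute"):
        if attrs.get(key) != ssp_username_attribute:
            findings.append("%s=%r differs from SSP username attribute %r"
                            % (key, attrs.get(key), ssp_username_attribute))
    # Bracketed values are the article's placeholders and were never filled in.
    for key in ("server", "userContainer"):
        value = attrs.get(key, "")
        if not value or value.startswith("["):
            findings.append("%s is empty or still a placeholder" % key)
    # Plain LDAP carries the simple-bind password in cleartext on the wire.
    if attrs.get("useSSL", "false").lower() != "true":
        findings.append("useSSL=false: binds to port %s are unencrypted"
                        % attrs.get("port", "389"))
    return findings


if __name__ == "__main__":
    for name, attrs in load_ldap_providers(SAMPLE_WEB_CONFIG).items():
        for finding in check_provider(attrs, "LdapMembership", "uid") or ["OK"]:
            print(name, "-", finding)
```

Run it once per web.config (Central Administration, SSP and portal) so the three copies are checked against the same connection settings. The useSSL finding is deliberate: with useSSL="false" the bind credentials SharePoint uses for the import travel in cleartext between the web front end and the eDirectory server, so prefer port 636 with useSSL="true" once the basic connection works.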

Having set up the provider in the web.config files, we'll now go into SharePoint Central Administrator and start by importing your users into the User Profile database.

Importing User Profiles

Create A New Connection in the Shared Service Provider

Log in to your SharePoint Central Administration site. Select your Shared Service Provider and click on "User profiles and properties" under the "User Profiles and My Sites" column. On this page click on the link, "Manage Connections". Click on "Create New Connection".

Give the connection a meaningful name. In the Directory service server name textbox, enter the server name or IP address of your LDAP server. For Provider name, you must enter the name you gave your LDAP provider previously. It's safest to copy this directly from the web.config file to make sure you don't misspell it. For username attribute, use either "uid" or "cn". Make sure that whatever you use is also specified in the web.config file - it should match whatever you have in the userDNAttribute and userNameAttribute LDAP Membership Provider attributes.

Once you've entered these, hit "Auto Fill Root Search Base". This will automatically bind to your LDAP store. If you want to narrow the search base you can enter the appropriate container in the Search base field, and change the User filter as well if you like (one possible option is to set the filter to (&(objectClass=*)) to return everything).

Note that you can create as many import connections as you like. You can use multiple LDAP providers or import users from the Business Data Catalogue if you want to. In the case of additional LDAP providers you will have to add these to the web.config files as you did before.

Import The User Profiles

Now you're ready to import your LDAP users into SharePoint's User Profile database. Go back to the User Profiles and properties screen and start a full import. Once it starts enumerating you should see user profiles being imported into SharePoint. When the import is complete, click "View Profiles" to see what's been imported. Note that the account names start with the LDAP provider name you used. Your accounts will probably look like this: [Ldap Membership Provider Name]:[LDAP unique user ID]. A potential gotcha is that you may find you are missing users after you do imports. I had this problem when I specified the value "uid" for the userDNAttribute and userNameAttribute attributes and after switching it to "cn" the import returned everybody. If you run into issues like this, use your LDAP tool to try to identify accounts that may be set up incorrectly or are missing attributes you are importing on.
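The missing-users gotcha above comes down to entries in the user container that match the filter but lack the attribute the import keys on, or one of the otherRequiredUserAttributes. The script below is an added example, not code from the article: it reads an LDIF export (the kind an LDAP browser tool can save) with the Python standard library and lists which entries would import under a given username attribute and why the rest would be skipped. The LDIF entries in it are constructed; the attribute lists mirror the provider element earlier in the article.

```python
"""Added example, not code from the article: audit an LDIF export of the user
container to find entries the LDAPMembershipProvider import would skip, i.e.
entries that do not match userFilter or lack the username attribute or one of
the otherRequiredUserAttributes. Standard library only."""

# Constructed LDIF export; every entry and value here is made up.
SAMPLE_LDIF = """dn: cn=akim,ou=users,o=example
objectClass: person
objectClass: inetOrgPerson
cn: akim
uid: akim
sn: Kim
givenName: Ada

dn: cn=bsmith,ou=users,o=example
objectClass: person
cn: bsmith
sn: Smith
givenName: Bob

dn: cn=printer01,ou=users,o=example
objectClass: device
cn: printer01

dn: cn=cjones,ou=users,o=example
objectClass: person
cn: cjones
uid: cjones
sn: Jones
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value'
    per line, multi-valued attributes kept as lists. Attribute names are
    lower-cased because LDAP treats them case-insensitively. Folded lines and
    base64 ('::') values are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_entries(entries, username_attribute, required_attributes,
                  filter_object_class="person"):
    """Return (importable usernames, problems). Each problem is (dn, reason).
    Mirrors the provider settings: userFilter=(ObjectClass=<class>),
    userNameAttribute and otherRequiredUserAttributes."""
    importable, problems = [], []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if filter_object_class.lower() not in classes:
            continue  # excluded by userFilter, not a user at all
        missing = [a for a in [username_attribute] + list(required_attributes)
                   if a.lower() not in entry]
        if missing:
            problems.append((dn, "missing " + ",".join(missing)))
        else:
            importable.append(entry[username_attribute.lower()][0])
    return importable, problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for attribute in ("uid", "cn"):
        users, problems = audit_entries(entries, attribute, ["sn", "givenName", "cn"])
        print(attribute, "imports", users)
        for dn, reason in problems:
            print("  skipped", dn, "-", reason)
```

Running the audit with "uid" and then with "cn" shows the effect the article describes: an account that has a cn but no uid is skipped under the first setting and imported under the second, while an account missing one of the otherRequiredUserAttributes is skipped either way and needs fixing in eDirectory rather than in SharePoint.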

At this point, SharePoint should at least be importing your eDirectory users into the User Profile database. The next step is getting them to authenticate.
